A Multilevel Cybersecurity and Safety Monitor for Embedded Cyber-Physical Systems

Published 8 Dec 2018 in cs.CR | (1812.03377v1)

Abstract: Cyber-physical systems (CPS) are composed of various embedded subsystems and require specialized software, firmware, and hardware to coordinate with the rest of the system. These multiple levels of integration expose attack surfaces which can be susceptible to attack vectors that require novel architectural methods to effectively secure against. We present a multilevel hierarchical monitor architecture cybersecurity approach applied to a flight control system. However, the principles present in this paper apply to any CPS. Additionally, the real-time nature of these monitors allows for adaptable security, meaning that they mitigate against possible classes of attacks online. This results in an appealing bolt-on solution that is independent of different system designs. Consequently, employing such monitors leads to strengthened system resiliency and dependability of safety-critical CPS.

Citations (4)

Summary

  • The paper introduces a hierarchical monitoring framework using event calculus and graph theory to detect hardware, information, and execution integrity breaches.
  • The framework is experimentally validated on a Flight Control System, demonstrating effective real-time anomaly detection and fault isolation.
  • The study underlines a scalable, layered defense approach that provides robust runtime assurance with minimal performance overhead.

Multilevel Cybersecurity and Safety Monitoring for Embedded CPS

Introduction and Motivation

The paper "A Multilevel Cybersecurity and Safety Monitor for Embedded Cyber-Physical Systems" (1812.03377) addresses the growing vulnerability landscape inherent in complex embedded Cyber-Physical Systems (CPS), with a focus on safety-critical platforms such as flight control systems (FCS). The authors posit that architectural complexity and tight real-time constraints render traditional, perimeter-based and singular-level runtime security mechanisms insufficient. In response, this study develops, formally specifies, and experimentally validates a multilevel hierarchical monitor architecture for runtime security and safety supervision of embedded CPS.

Formal Model: Multilevel Monitoring Framework

A central contribution is the abstraction of monitoring as a hierarchy, where distinct layers target hardware, information, and execution integrity. The monitoring infrastructure is rigorously formalized using event calculus and graph theory, allowing precise specification of detection predicates and their activation criteria. Monitoring is decomposed as follows:

  • Hardware Resource Integrity Monitoring (HRIM): Detects and mitigates hardware-level anomalies, such as bus protocol tampering or sensor failures.
  • Information Integrity Monitoring (I2M): Verifies correctness and authenticity of sensory and communication data propagated through the system.
  • Execution Integrity Monitoring (EIM): Asserts the integrity of firmware and execution flow, e.g., by validating return addresses and preventing code injection or unexpected branching.

The monitors are modeled as vertices in a directed graph, with event calculus predicates labeling state transitions and inter-monitor communications. This facilitates systematic definition of both sequential and parallel monitor composition, including the possibility of associative and complementary arrangements.

Threat Modeling and Systematic Placement of Monitors

The authors detail a threat taxonomy covering creation, access point vectors, and exploitation type, mapping these systematically onto the FCS attack surface. Explicit consideration is given to hardware peripherals, firmware/software, and sensor interfaces as domains of vulnerability. Through this analysis, the strategic placement and configuration of monitors are derived, ensuring coverage of the most salient adversarial scenarios, including bus baud rate manipulation, physical signal faults, and memory-targeted control flow attacks.

Architectural Implementation

The architecture is realized on a representative FCS platform (STM32F4 ARM Cortex-M4). HRIM and I2M are prototyped on an FPGA for hardware-near enforcement, whereas EIM is implemented on a processor (Raspberry Pi 2) utilizing OpenOCD for live program analysis. The separation between plant and monitoring layers is physically enforced via a crossbar switch, mitigating the risk of monitor co-option and supporting sensor isolation upon intrusion/fault detection.

Key implementation strategies include:

  • HRIM: Operates independently of sensor semantics by only interfacing with bus configuration and signal fidelity. Detects interface reconfiguration and initiates sensor isolation, with subsequent automated reconfiguration attempts.
  • I2M: Consumes only sanitized data from HRIM, verifying data integrity and enforcing inactivity thresholds for timely sensor disconnection.
  • EIM: Employs static-dynamic memory comparison for firmware validation, and inspects branch/return instruction flow to preempt code pointer attacks. If control flow deviation is detected, it enforces a fail-safe operational mode.
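The sequential HRIM -> I2M -> EIM chain from the formal model and the implementation strategies above, as an added simulation that is not the paper's code: each monitor appends event-calculus style "Happens" records, HRIM isolates the sensor on a bus reconfiguration, I2M only sees HRIM-sanitized data and enforces an inactivity threshold, and EIM compares a static firmware copy against the dynamic one and checks observed return addresses against a whitelist. All constants, the Sample layout and the method names are constructed assumptions for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

EXPECTED_BAUD = 9600                      # constructed: configured GPS bus rate
INACTIVITY_LIMIT = 3                      # constructed: max ticks without a sample
FIRMWARE_IMAGE = b"\x01\x02\x03\x04"      # constructed: static firmware copy
VALID_RETURNS = {0x1000, 0x1040, 0x1080}  # constructed: allowed return targets

@dataclass
class Sample:
    tick: int
    baud: int                   # bus configuration seen by HRIM
    value: Optional[float]      # None = sensor delivered nothing this tick
    ret_addr: int               # return address observed by EIM
    mem: bytes                  # dynamic copy of the firmware region

@dataclass
class Monitors:
    events: list = field(default_factory=list)  # ("Happens", event, tick)
    isolated: bool = False      # crossbar has cut the sensor off
    last_seen: int = 0          # tick of the last valid sensor value
    failsafe: bool = False      # HoldsAt(failsafe, t) once EIM trips

    def hrim(self, s: Sample) -> Optional[Sample]:
        # HRIM looks only at bus configuration, never at sensor semantics
        if s.baud != EXPECTED_BAUD:
            self.events.append(("Happens", "bus_reconfig", s.tick))
            self.isolated = True
            return None                    # nothing is passed down to I2M
        return s                           # sanitized sample for I2M

    def i2m(self, s: Optional[Sample], tick: int) -> None:
        # I2M consumes only HRIM-sanitized data and enforces inactivity limit
        if s is not None and s.value is not None:
            self.last_seen = tick
        elif tick - self.last_seen > INACTIVITY_LIMIT and not self.isolated:
            self.events.append(("Happens", "sensor_inactive", tick))
            self.isolated = True

    def eim(self, s: Sample) -> None:
        # EIM: static-vs-dynamic firmware compare plus return-target check
        if s.mem != FIRMWARE_IMAGE or s.ret_addr not in VALID_RETURNS:
            self.events.append(("Happens", "cfi_violation", s.tick))
            self.failsafe = True           # switch to fail-safe operation

    def step(self, s: Sample):
        # one scheduler tick through the sequential composition
        self.i2m(self.hrim(s), s.tick)
        self.eim(s)
        return self.isolated, self.failsafe
```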

Experimental Results

Empirical validation is provided through hardware-in-the-loop fault and attack injection scenarios:

  • HRIM detects and isolates bus-specific attacks, including baud-rate modification of GPS sensors during runtime.
  • I2M identifies and responds to interface lock-ups and delayed/inactive sensors, with correct propagation of mitigation actions (e.g., crossbar engagement, reconfiguration sequences).
  • EIM validates runtime control flow integrity, identifying tampering in branch targets and redirecting system control to a safe landing routine if unexpected transitions are detected.

These experiments underline the benefit of distributed multi-domain monitors, demonstrating prompt detection with minimal system interference and no impact on unaffected subsystems.

Implications and Future Directions

The formal multilevel monitor architecture offers several theoretical and pragmatic advancements:

  • Layered Defense-in-Depth: The ability to detect and respond to attacks/faults at multiple architectural levels reduces the likelihood of successful multi-stage attack propagation.
  • Runtime Assurance with Minimal Overhead: Distributed monitoring limits the observation and mitigation burden on individual subsystems, optimizing real-time performance constraints—a critical factor for safety-critical CPS.
  • Extensibility: The formalism and architecture support scalability, enabling the addition of further specialized monitors (e.g., application-specific mission monitoring) and horizontal integration within layers.

This work provides a theoretical and applied foundation for resilient embedded CPS, showing that multilevel, compositional monitoring architectures can significantly strengthen the security posture without necessitating intrusive redesign of legacy systems. Questions remain regarding the formal synthesis of monitor placement, optimal compositional structures (including assume-guarantee reasoning), and automated tuning of detection predicates under dynamic threat landscapes.

Conclusion

The presented study advances the state-of-the-art in embedded CPS security by introducing and validating a hierarchical, event calculus-based multilevel monitoring architecture. Through concrete realization on a flight control system, the authors demonstrate robust, low-overhead attack and fault detection grounded in formal semantic modeling. The architecture's modularity and extendibility position it as a promising approach for deploying adaptive, resilient runtime assurance in a broad array of safety-critical embedded CPS environments. Future work should investigate broader monitor compositional paradigms and automated threat-adaptive configuration.
